2018-07-21

Mobile Phone SIM Swapping Fraud

Description of the Threat

As mobile numbers and SMS are increasingly used for two-factor authentication and one-time passwords, hackers try to get the victim's number ported to another SIM and thereby gain entry to all of the victim's personal online services. In the USA, these scams have doubled over the years: 1038 cases in 2013 and 2658 in 2016. Currently this spear-phishing-type attack is spreading in Africa.

The generic attack vector is as follows:

 1. The hacker acquires the target’s usernames (on sale on various dark-web sites) for profitable accounts (Instagram, Bitcoin, online banking, etc.).
 2. The hacker collects other essential information about the target from public sources (mobile number, birthday, address, family members and their birthdays, etc.) or by going through the target’s trash (bank statements, bills, copies of passports, visas, ID cards, driving licences).
 3. With the above information, the hacker:
  • tries to break into the target’s mobile operator online account and then swaps the number;
  • tries to deceive the mobile operator’s service personnel into swapping the number to a different SIM;
  • gets the target’s phone in hand for a few minutes and orders the SIM swap.
 4. The hacker swaps the mobile number from the target’s SIM card to another SIM card in his possession.
 5. The hacker can now reset the target’s account passwords using the mobile number as the recovery method.

Some current online service providers treat the mobile number as an irrevocable credential and use it alone to authorise significant transactions, e.g., money transfers, online payments, and username and password changes.

Protection

Protection against the above kind of spear phishing may be achieved by the following:
  • Have all your essential devices protected by anti-virus software, a VPN and a firewall.
  • Do not download apps or open unfamiliar pages on the device you use for essential online services.
  • Ensure that your session is with the genuine account pages and is not proxied or created by a man-in-the-middle.
  • Keep the personal information that is used to answer security questions out of public reach.
  • Use strong passwords (more than 12 characters, a sentence that makes sense to you, with letters replaced by numbers, symbols and capitals). Do not use variations of the same password across different accounts.
  • Harden your mobile operator management account. Most mobile operators provide stronger access management than just username and password.
  • Use other numbers (another mobile number, a VoIP number) as the trusted phone numbers in essential accounts.
  • Use other strong authentication methods where the service provider offers them.
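
As an added example (not code from the original post), the following Python correlates SIM-change notifications with account-recovery requests: a reset requested shortly after the number moved to a new SIM is exactly the step 4 to step 5 sequence described above and should trigger a further factor instead of trusting the SMS. The operator feed, the 24-hour window and the event records are assumptions and constructed sample data.

```python
from datetime import datetime, timedelta

# Constructed sample events, not real data. In practice the SIM-change events
# would come from the mobile operator (an operator feed or SIM-swap check API is
# assumed here) and the recovery requests from the service's own logs.
SIM_CHANGES = [  # (timestamp, mobile number)
    ("2018-07-20T09:12:00", "+358401234567"),
    ("2018-07-20T21:40:00", "+358409876543"),
]
RECOVERY_REQUESTS = [  # (timestamp, mobile number, requested action)
    ("2018-07-20T09:35:00", "+358401234567", "password_reset"),        # 23 min after swap
    ("2018-07-20T15:00:00", "+358407770000", "password_reset"),        # no swap on record
    ("2018-07-22T08:00:00", "+358409876543", "payment_limit_change"),  # ~34 h after swap
]


def _parse(ts):
    return datetime.fromisoformat(ts)


def flag_recent_sim_swaps(sim_changes, recovery_requests, window_hours=24):
    """Return recovery requests whose number had a SIM change within the window.

    Each result is ((timestamp, number, action), hours_since_swap). A flagged
    request should not be completed on the strength of an SMS code alone; hold
    it for another factor or a manual check instead.
    """
    window = timedelta(hours=window_hours)
    changes_by_number = {}
    for ts, number in sim_changes:
        changes_by_number.setdefault(number, []).append(_parse(ts))

    flagged = []
    for ts, number, action in recovery_requests:
        req_time = _parse(ts)
        for change_time in changes_by_number.get(number, []):
            delta = req_time - change_time
            # Only swaps that happened before the request, and recently, count.
            if timedelta(0) <= delta <= window:
                hours = round(delta.total_seconds() / 3600, 2)
                flagged.append(((ts, number, action), hours))
                break
    return flagged


if __name__ == "__main__":
    for request, hours in flag_recent_sim_swaps(SIM_CHANGES, RECOVERY_REQUESTS):
        print(f"HOLD {request[2]} for {request[1]}: SIM changed {hours} h earlier")
```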

References:
1. https://motherboard.vice.com/en_us/article/vbqax3/hackers-sim-swapping-steal-phone-numbers-instagram-bitcoin
2. https://www.fin24.com/Finweek/Featured/the-rise-of-sim-swap-fraud-20170906
3. https://www.techjaja.com/sim-card-swap-fraud-explained/
4. https://www.quora.com/How-do-I-avoid-SIM-Swap-Frauds
5. https://motherboard.vice.com/en_us/article/zm8a9y/how-to-protect-yourself-from-sim-swapping-hacks

Tailored Cyber Attack on Military Mobile Devices

Incident

Early in July 2018, Israeli security agencies announced that Hamas had installed spyware on Israeli soldiers’ smartphones to collect data from them. About 100 Israelis fell victim to the attack, which came in the form of fake World Cup and online dating apps that had been uploaded to Google Play, Google's official app store.

Effect

Once the apps were installed on the victims’ phones, the highly invasive malware was then able to carry out the following malicious activities:

  • Record the user’s phone calls.
  • Take a picture when the user receives a call.
  • Steal the user’s contacts.
  • Steal the user’s SMS messages.
  • Steal all images and videos stored on the mobile device and information on where they were taken.
  • Capture the user’s GPS location.
  • Take random recordings of the user’s surroundings.
  • Steal files and photos from the mobile device’s storage.


Pattern

This tactic has been used before:

  • In early 2017, the Viperat spyware targeted Israeli soldiers serving around the Gaza Strip, leveraging social engineering techniques to steal photos and audio files from their smartphones.
  • In March 2016, ‘SmeshApp’, a calling and messaging app on the Google Play store, was allegedly used by Pakistan to spy on Indian military personnel.
  • Further, in 2016, a Russian APT group was suspected of using Android spyware to track Ukrainian field artillery units.


What to do for prevention


  1. Armed Forces can provide troops with dedicated mobile devices that are managed, secured and supported by an exclusive service provider.
  2. Soldiers’ personal mobile devices can be fitted with a dedicated security application that protects the device at the device, application and network levels.
  3. Soldiers can be guided to recognise this kind of spyware and avoid installing it.
  4. Armed Forces may ban the use of smart devices on duty entirely.


References:
1. https://gbhackers.com/military-mobile-devices-spyware/
2. https://blog.checkpoint.com/2018/07/05/an-invasive-spyware-attack-on-military-mobile-devices/

2018-06-17

Opportunities and Constraints in Applying Artificial Intelligence in Military Enterprise

Introduction

Artificial Intelligence (AI) stands out as a new, almost magical way to take the digital age to even further heights. Are the Armed Forces, as part of modern society, ready to apply AI and use it to gain advantages over adversaries, or are they unable to benefit from discrete innovations? How can we assess the readiness of a military enterprise to adopt or innovate new capabilities enhanced by AI-related technologies?

This short paper uses an enterprise architecture (EA) tool developed specifically for military enterprises to assess the opportunities and challenges in adopting the benefits of AI. The EA tool analyses the strategic posture and operational processes of a military force. Furthermore, it focuses primarily on command and control related capabilities, including sensemaking, decision making and organisational learning. Additionally, the tool helps to analyse the readiness of the information, security and technical structures of armed forces.

Theory and literature review

A military enterprise can be defined as an open, complex socio-technical system that exists in the national and geopolitical environment. The enterprise evolves gradually, affected by its history, culture, surrounding society and the opportunities available for the future. The knowledge-driven evolutionary model is used to compose an EA tool that helps military architects to analyse opportunities and constraints in evolving the military with AI-based capabilities.

Using the Thorpe et al. view of the evolution of business knowledge, Mattila and Parkinson define the evolutionary roadmap for strategic posture in confrontation, doctrinal improvement, command and control, and military information management. The supporting technical layers of information security and ICT infrastructure are studied correspondingly and combined in the framework. 

The EA tool merges the above layers and defines the forces acting within the structure presented in Figure 1.

Figure 1: Military enterprise structure from enterprise architecture viewpoint.

A literature survey was made to create an understanding of the current opportunities and challenges that enterprises feel they are facing when considering improving their business with AI-enhanced features. The survey was done through an Internet search, with the parameters explained in Table 1.

Table 1: Parameters of the literature survey on AI implementation

The four areas of AI opportunities and challenges and their eight key issues form the performance metrics for the EA tool in the following section.

Research

The approach of this research is pragmatic, since the work intends to anticipate opportunities and constraints when a military applies AI to accelerate its C4I transformation. The postulated EA tool is composed from previous work and separate studies using qualitative deduction. The literature review provides statistical data concerning opportunities and challenges in applying AI in any enterprise. The collected AI data is projected onto a case study of an anonymous Armed Forces (Blue Force) C4I structure and its intended improvement. The feasibility of the EA tool is measured by its ability to anticipate the accelerators and obstacles on the journey of AI implementation. Further study is needed to measure the value of the information concerning accelerators and barriers when AI features are actually being implemented.

The case study of the Blue Force uses the EA tool to make better sense of the whole situation of an enterprise aiming to apply AI and gain an advantage over its adversaries; the result is illustrated in Figure 2. The Blue Force seems to be gaining an advantage over its adversaries from its evolutionary posture, since it has been acquiring modern armament steadily. There may, however, be a tendency towards the operational posture, as the cost of contemporary armament is rising and the available workforce is diminishing.

The Blue Force strategy for military process performance seems to be on a path towards coordination aiming for joint force capabilities. Subsequently, there are also indications towards unified logistics and replicated force generation. 

The essential parts of the Blue Force command and control capabilities are based on learning by drilling and, to some extent, by understanding. Furthermore, Blue Force decision making has an authoritarian approach with a touch of shared intent. The sensemaking seems to focus on the areas of the known and the knowable.

The information management of the Blue Force is somewhere between folder and page management, and information security is mainly based on controls within each domain. There seem to be advanced bandwidth and mobility services available, whereas computing seems decentralised and connected no further than forest level. ICT operations seem to be at the system management level.

Figure 2: Military enterprise structure from enterprise architecture viewpoint.

Results and discussion

The specific concerns in implementing AI in generic enterprises are reflected against the results of the analysis of the Blue Force enterprise structure. Table 2 illustrates this reflection as either positive, i.e., an opportunity, or negative, i.e., a challenge. The direct guidance is either to utilise the opportunities or to mitigate the challenges in the coming AI implementation within the Blue Force.

Table 2: Testing the EA tool in analysing opportunities and challenges in applying AI within the Blue Force


The EA tool supports the analysis of enterprise from cultural dimension down to technical dimensions covering the indicated areas of concern in AI implementation. Therefore, the EA tool is sufficiently holistic in modelling the military enterprise structure.

Reflecting the architectural analysis of the Blue Force enterprise structure against the eight key issues in AI implementation provides the enterprise architect with ten opportunities to accelerate the adoption of AI and recognises four challenges requiring mitigation. Consequently, the EA tool recognises both driving and hindering forces within an enterprise.

The EA tool identified four inter-layer dependencies (ID) in implementing AI. Consequently, the EA tool recognises inter-dependencies through the enterprise structure compared to layer-oriented models.

Conclusions

This pragmatic research uses an evolutionary enterprise architecture tool to analyse the opportunities and challenges in applying artificial intelligence features in a military enterprise.

The proposed EA tool covers the whole area of concern in an AI implementation. The tool recognises both opportunities and challenges that can be addressed in an AI implementation plan. The tool also models more complex inter-dependencies within the enterprise structure.

The EA tool appears to help military enterprise architects in analysing the status of a military force aiming to benefit from artificial intelligence features. Nevertheless, this case study at its initial stage does not prove the feasibility of the EA tool entirely. Therefore, further study is needed, both within the specific case study and possibly across broader cases among Armed Forces, to improve the EA tool.

2018-05-18

Vulnerability in Pretty Good Privacy (PGP) and Secure MIME email encryption services

PGP is a public-key encryption-based program that is often used to secure email. S/MIME is a standard defining email encryption that ensures confidentiality, integrity and authenticity of origin. Now experts have found a vulnerability that may allow outsiders to read even previously sent encrypted emails.

Münster University of Applied Sciences announced on 14th May that PGP and S/MIME both have vulnerabilities enabling a third party to reveal the plaintext of ongoing encrypted email traffic and even to access previously sent secure emails.
"The attacker changes an encrypted email in a particular way and sends this changed encrypted email to the victim. The victim's email client decrypts the email and loads any external content, thus ex-filtrating the plain-text to the attacker."

The following general advice may apply:

  • Remove the installed and automatic PGP and S/MIME services from your email client until the vulnerability has been patched.
  • Use other end-to-end encrypted communication services, such as Signal.
  • Wait for detailed analysis and guidance on remedying the services.
  • Consider what has been sent earlier using the above encryption and assess the risks if it is revealed.
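
The quoted attack only works if the mail client fetches external content after decryption, so one mitigation is to strip every remote reference from a decrypted HTML part before rendering it. The Python below is an added example of that filter (not code from the original post or from any mail client); the attribute list, the placeholder scheme and the sample body are assumptions and constructed data.

```python
import html
import re
from html.parser import HTMLParser

# Attributes whose URL a mail client fetches as soon as the HTML renders;
# "*" means the attribute is fetched on any tag.
FETCHED_ATTRS = {("*", "src"), ("link", "href"), ("base", "href"),
                 ("*", "background"), ("*", "poster")}
SCHEME = re.compile(r"^\s*([a-z][a-z0-9+.-]*):", re.IGNORECASE)
CSS_URL = re.compile(r"url\s*\(", re.IGNORECASE)


def is_remote(url):
    """True for anything the client would fetch over the network."""
    if url.lstrip().startswith("//"):
        return True
    m = SCHEME.match(url)
    # cid: points at an attached MIME part and data: is inline; both stay local.
    return bool(m) and m.group(1).lower() not in ("cid", "data")


class RemoteContentFilter(HTMLParser):
    # Rebuilds the HTML with every remote reference replaced by a placeholder.
    def __init__(self):
        super().__init__()
        self.out, self.blocked = [], []

    def _attrs(self, tag, attrs):
        kept = []
        for name, value in attrs:
            fetched = (tag, name) in FETCHED_ATTRS or ("*", name) in FETCHED_ATTRS
            if value is not None and fetched and is_remote(value):
                self.blocked.append(value)
                value = "blocked:"  # a scheme no client resolves
            elif value is not None and name == "style" and CSS_URL.search(value):
                self.blocked.append(value)  # inline CSS url(...) also fetches
                value = ""
            kept.append((name, value))
        return "".join(f" {n}" if v is None else f' {n}="{html.escape(v)}"'
                       for n, v in kept)

    def handle_starttag(self, tag, attrs):
        self.out.append(f"<{tag}{self._attrs(tag, attrs)}>")

    def handle_startendtag(self, tag, attrs):
        self.out.append(f"<{tag}{self._attrs(tag, attrs)}/>")

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text arrives unescaped; re-escape it so nothing is re-parsed as a tag.
        self.out.append(html.escape(data, quote=False))


def strip_remote_content(decrypted_html):
    """Return (sanitised_html, blocked_references) for a decrypted HTML part."""
    f = RemoteContentFilter()
    f.feed(decrypted_html)
    f.close()
    return "".join(f.out), f.blocked


# Constructed sample of a decrypted HTML body, not a real message.
SAMPLE_BODY = ('<html><body><p>Quarterly numbers attached.</p>'
               '<img src="https://tracker.example/pixel.gif" alt="">'
               '<img src="cid:chart001@mail.example" alt="chart">'
               '<div style="background:url(https://tracker.example/bg.png)">x</div>'
               '</body></html>')
```

The blocked list is worth logging: a decrypted message that tries to reach a host the sender never mentioned is itself a signal.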


References

  1. https://www.eff.org/deeplinks/2018/05/attention-pgp-users-new-vulnerabilities-require-you-take-action-now 
  2. https://www.forbes.com/sites/thomasbrewster/2018/05/14/pgp-encrypted-email-vulnerability-exposes-private-messages/#61cbede13e2a
  3. https://ssd.eff.org/en/module/how-use-signal-ios
  4. https://efail.de/efail-attack-paper.pdf


2018-05-09

Wi-Fi air interface will have a new encryption protocol, WPA3

Situation

The current Wi-Fi encryption protocol, WPA2, has a weakness when a new node joins the network. A man-in-the-middle within wireless coverage can manipulate the handshake procedure (the KRACK attack) and reset the WPA2 encryption to all-zero keys. What is assumed to be encryption is then replaced by a trivial encoding. The weakness is in the standard itself and affects all modern Wi-Fi networks.
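
As an added detection example (not from the original post), the monitoring logic below flags the observable symptom of a KRACK key reinstallation: the CCMP packet number, which must increase strictly under one key, restarting without a fresh handshake. The record format and the MAC addresses are constructed sample data.

```python
# Constructed sample of what a wireless monitor sees for each decrypted
# CCMP data frame: (record kind, transmitter MAC, packet number). Not a capture.
RECORDS = [
    ("data", "aa:bb:cc:00:00:01", 1),
    ("data", "aa:bb:cc:00:00:01", 2),
    ("data", "aa:bb:cc:00:00:01", 3),
    ("data", "aa:bb:cc:00:00:02", 10),
    ("data", "aa:bb:cc:00:00:01", 1),      # PN restarted with no new handshake
    ("data", "aa:bb:cc:00:00:01", 2),
    ("rekey", "aa:bb:cc:00:00:02", None),  # fresh 4-way handshake (new nonces) completed
    ("data", "aa:bb:cc:00:00:02", 1),      # legitimate restart under the new key
]


def detect_pn_reuse(records):
    """Flag transmitters whose CCMP packet number stops increasing.

    CCMP builds its nonce from the packet number (PN), which must increase
    strictly under a given key. A key reinstallation resets the PN, so a
    station whose PN repeats or goes backwards under the same key is showing
    the observable symptom of KRACK. Only a genuinely new handshake (a
    "rekey" record here) may reset the expectation; a retransmitted handshake
    message installs the same key again and must not.
    Returns (record index, transmitter, seen PN, highest PN so far).
    """
    highest = {}
    alerts = []
    for idx, (kind, tx, pn) in enumerate(records):
        if kind == "rekey":
            highest.pop(tx, None)
            continue
        last = highest.get(tx)
        if last is not None and pn <= last:
            alerts.append((idx, tx, pn, last))
        else:
            highest[tx] = pn
    return alerts


if __name__ == "__main__":
    for idx, tx, pn, last in detect_pn_reuse(RECORDS):
        print(f"frame {idx}: {tx} reused PN {pn} (highest seen {last}); "
              "possible key reinstallation")
```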

The Wi-Fi Alliance has announced a new standard, WPA3, which will include “robust protection” even when passwords are weak and will also simplify security configuration for devices that have a limited display interface or none at all. It will also include individualised data encryption when using a public access network.

Solution

The Wi-Fi Protected Access 3 (WPA3) standard will be published later this year, but currently it seems to include:
  • a 192-bit key aligned with the Commercial National Security Algorithm Suite;
  • Opportunistic Wireless Encryption, which establishes encryption without authentication;
  • protection against weak passwords and brute-force, dictionary-based attacks;
  • individualised data encryption when accessing open networks.
Once the standard is published, it will take months for device manufacturers to support it in their devices. The first compliant devices may ship at the end of this year.

What to do

The following general advice may apply:
  • The WPA2 vulnerability can be exploited only within range of the Wi-Fi transceiver, so all sensitive Wi-Fi equipment should be positioned, and its effective radiated power configured, so that outsiders find it hard to tap.
  • A second layer of encryption should be established end-to-end (e.g., HTTPS, IPsec, SSH) to protect the actual communication (COMSEC) and keep user identities and passwords safe together with the content.
  • All sensitive Wi-Fi devices should be planned for renewal within the next two years.

References

  1. https://www.helpnetsecurity.com/2017/10/16/wpa2-weakness/
  2. https://www.theverge.com/2018/1/9/16867940/wi-fi-alliance-new-wpa3-security-protections-wpa2-announced
  3. https://latesthackingnews.com/2018/01/12/wpa3-new-wi-fi-standard-improve-security/
  4. https://thehackernews.com/2018/01/wpa3-wifi-security.html

2018-04-24

Lazy hackers are automating their attacks

Introduction

Hackers are widely using bots (automated web robots that run scripts over the Internet) to seek out and subvert vulnerable servers on the Internet or on intranets to which they have gained access. Once a potential target is located, a human usually carries out the actual breach.

The company Cybereason created a “honeypot” installation and observed, for the first time, an automated breach of a system executed entirely by a bot.

Automation, and in future AI-enhanced bots, will increase the probability of a breach further. Currently, Cisco's security organisation blocks more than 20 million attacks every day, including booby-trapped emails, malicious web pages and new malware.

Threat case

About two hours after the “honeypot” server for the fake finance firm was put online, it was found by a bot, which then aggressively set about taking it over. Passwords protecting some of the server's functions had been left intentionally weak to tempt the bot, which duly cracked them and then went on to plunder information on the machine.

Within 15 seconds of getting access, the bot:
  • sought out and exploited several known vulnerabilities;
  • scanned the network to which the server was connected;
  • stole and dumped credentials for other vulnerable machines;
  • created new user accounts for its creators to use.

Once the bot had done its work, the attackers went quiet for two days but returned to steal data to which the compromised server allowed access. In total, the attackers took about four gigabytes of data, all of which was fake.

Recommendation

Since attackers are improving and automating their processes and tools, so should defenders. Artificial-intelligence-enhanced Security Information and Event Management (SIEM) systems will increase the probability of catching the crooks in time, whereas a human operator cannot maintain focus all the time and cannot reach far back into historical data.

References:

  1. http://www.bbc.com/news/technology-43788337

2018-04-20

Russian state-sponsored actor preparing network infrastructure devices for further cyber attacks

What is claimed to happen?

The USA and UK issued a joint technical alert accusing Russian state-sponsored actors of mounting malicious manipulation and cracking of Internet communications devices. The actors target government institutions, private sector companies and Internet providers. The operation has so far been monitored for months by the FBI, the US Department of Homeland Security and the UK NCSC. The mission of this GRIZZLY STEPPE operation seems to be to prepare the network devices (e.g., routers, switches, firewalls and Network-based Intrusion Detection System (NIDS) devices) serving the target organisations to act as a man-in-the-middle. Once the edge network device is compromised, it can capture all IP traffic going through it and act as a packet capturer.

How does the action seem to take place?

  1. Reconnaissance: cyber actors scan for potentially vulnerable protocols such as Telnet, HTTP, SNMP and Cisco Smart Install (SMI).
  2. Weaponization: the actors trigger the device to send them its configuration file. The configuration file contains information such as password hashes and SNMP community strings. These credentials are brute-forced to reveal authorised Telnet or SSH login credentials.
  3. Exploitation: armed with real credentials, the actors access the network devices and activate, for example, the Cisco SMI service, thus gaining full control of the device. Once logged in, the actors can:
  • extract additional configuration information,
  • export the OS image file to an externally located cyber actor-controlled FTP server,
  • modify device configurations,
  • create Generic Routing Encapsulation (GRE) tunnels, or
  • mirror or redirect network traffic through other network infrastructure they control.


What to do?

The following general advice may apply:
  • All network devices should be treated like any other server or PC in the network: harden them by removing unnecessary processes, update them regularly, prefer out-of-band management over in-band management, and install IDS sensors to monitor management traffic.
  • For more detailed countermeasures, see reference 2.
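
The management-traffic monitoring advice above can be turned into a simple check; the following is an added example (not from the alert or the original post) that flags management-protocol flows to network devices arriving from anywhere other than the out-of-band management network. The subnet, device list and flow records are constructed assumptions; TCP port 4786 is the Cisco Smart Install (SMI) service port.

```python
import ipaddress

# Assumed out-of-band management network and the devices it manages; both would
# come from the organisation's own inventory, not from the alert.
MGMT_NET = ipaddress.ip_network("10.99.0.0/24")
NETWORK_DEVICES = {"10.1.0.1", "10.1.0.2"}
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Management services the alert names as targets, plus SSH, keyed by port.
# TCP 4786 is the Cisco Smart Install (SMI) service.
MGMT_PORTS = {23: "telnet", 80: "http", 161: "snmp", 4786: "smi", 22: "ssh"}

# Constructed flow records, not real traffic: (src, dst, dst_port, proto).
FLOWS = [
    ("10.99.0.10", "10.1.0.1", 22, "tcp"),     # admin from the OOB network: allowed
    ("203.0.113.7", "10.1.0.1", 4786, "tcp"),  # SMI reached from the Internet
    ("10.20.5.5", "10.1.0.2", 161, "udp"),     # SNMP from a user VLAN: in-band
    ("10.20.5.5", "10.1.0.2", 443, "tcp"),     # not a management service
    ("198.51.100.9", "10.20.5.5", 23, "tcp"),  # Telnet, but not to a network device
]


def flag_management_access(flows, mgmt_net=MGMT_NET, devices=NETWORK_DEVICES):
    """Return management-plane flows to network devices from outside the OOB net.

    Sources outside RFC 1918 space are rated "critical" because they match the
    reconnaissance step (Internet-facing Telnet/HTTP/SNMP/SMI); in-band
    internal sources are rated "high", since management should not be
    reachable from user networks at all.
    """
    alerts = []
    for src, dst, port, proto in flows:
        if dst not in devices or port not in MGMT_PORTS:
            continue
        source = ipaddress.ip_address(src)
        if source in mgmt_net:
            continue  # the one place management traffic is expected from
        internal = any(source in net for net in RFC1918)
        alerts.append({
            "src": src, "dst": dst, "service": MGMT_PORTS[port], "proto": proto,
            "severity": "high" if internal else "critical",
        })
    return alerts


if __name__ == "__main__":
    for a in flag_management_access(FLOWS):
        print(f"{a['severity'].upper()}: {a['service']} to {a['dst']} from {a['src']}")
```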

References:

  1. https://www.theguardian.com/technology/2018/apr/16/us-and-uk-blame-russia-for-malicious-cyber-offensive
  2. https://www.us-cert.gov/ncas/alerts/TA18-106A